legal investigation in social media how to do it how not to do it n.
Skip this Video
Loading SlideShow in 5 Seconds..
Legal Investigation in Social Media: How to Do It; How Not to Do It PowerPoint Presentation
Download Presentation
Legal Investigation in Social Media: How to Do It; How Not to Do It

Legal Investigation in Social Media: How to Do It; How Not to Do It

129 Views Download Presentation
Download Presentation

Legal Investigation in Social Media: How to Do It; How Not to Do It

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. Legal Investigation in Social Media: How to Do It; How Not to Do It Benjamin Wright, Attorney SANS Institute: “Law of Data Security & Investigations” This is not legal advice.

  2. Agenda • How to record evidence • Admissibility and authentication of evidence • Risks in collecting evidence • Methods for managing risks • The power of a “preservation letter” • General principles for guiding social media investigations

  3. Examples • Regulatory investigators gather evidence via social media • “Welfare cheat foiled by Facebook” • Based on Facebook videos, Hawaiian Humane Society issues citations; prosecutor to press charges

  4. Many Social Networks • Facebook, Twitter and LinkedIn are just a part of the topic • Many new social networks, like Google Plus, Quora, Instagram, Groupon, Pinterest, Touristlink • Thousands of blogs and special interest forums

  5. Different from Traditional Digital Forensics Investigations • Traditional: investigator has access to hardware that holds data • In web, cloud or social media investigation, investigator typically does not have direct access to hardware on which original data are stored • The data can change from minute to minute • Format of service changes from month to month • Service provider may or may not cooperate

  6. Rely on Witness Testimony • Ultimately, court looks to someone to testify about what happened & how it looked at a point in time • Two witnesses are better than one • Printout – most common form of social media investigative record • But printouts can be awkward and can miss a lot

  7. Screencast • Captures the look, the words, the images, the interactivity and inter-relationships from one page and link to the next • Captures webcam narration by witness – which can be compelling to judge and jury • Free, open-source tool: • Other products like Camtasia

  8. Many Posts and Demos of Screencast Evidence Capture • - live chat • - web activity • - online financial trades • - undercover police in social media • I welcome your comments, questions and criticism!

  9. Screencast Script • Create a unified package of evidence, integrating pages, links and testimony • Investigator – as eyewitness -- recorded by audio or webcam • Script of the investigator: • His identity, purpose & authority • Time and date • His statement of signature, taking responsibility for what he sees

  10. The Power of an Affidavit:Paper, Audio, Video or Other File • “I, Jane Doe, hereby affirm that I collected the following evidence in the way described.” Sign, date, notarize • Prevents Jane Does’ memory from wandering • Jane Doe may not work for, or cooperate with, you two years from now • Webcam signature is pretty convincing

  11. Corroborate Date and Time • State date and time in record/affidavit; then • Send record by enterprise email to multiple people (timestamp), or • Store the record on enterprise sharepoint, which shows audit trail with time, or • Upload record to a third party service like Microsoft skydrive, which records date

  12. Undercover Cops Example • Two witnesses • Record voice but no video • Mercer County prosecutor’s office, New Jersey – gang investigation •

  13. Investigative/Recording Tools • Vere Software • X1 Discovery • Hashbot • Iterasi web archiving service • Others • Each works differently • Regardless, an affidavit from a witness is helpful.

  14. Hook into APIs & Collect Meta Data

  15. Consider Terms of Service • Platform application developers and operators • Post privacy policy • "You will delete all data you receive from us concerning a user if the user asks you to do so, and will provide a mechanism for users to make such a request. ... You will make it easy for users to remove or disconnect from your application."

  16. General Facebook Terms • • “If you collect information from users, you will: obtain their consent, make it clear you (and not Facebook) are the one collecting their information, and post a privacy policy explaining what information you collect and how you will use it.”

  17. Interpretation • Does this mean no one can, without consent, copy something from Facebook for purposes of an investigation? • I think not. • Making limited copies is generally accepted practice. • But the principle of “proportionality” is relevant.

  18. “Proportionality” • The scale of data collection matters • A broad, general principle from privacy and e-discovery law is that the collecting and management of data should be “proportionate” to the case (considering risks, costs, urgency and so on) • See blog articles and

  19. Admission of Evidence • Social media evidence is very commonly admitted into legal proceedings • Varying degrees of formality in proceedings • However, some criminal cases show skeptical courts • Criminal cases have higher standard of proof

  20. Authenticate Myspace • Griffin v. Maryland, No. 74 (Maryland; Apr. 28, 2011) - In murder trial, questions arise why a witness gives conflicting testimony. Prosecution tries to show defendant’s girlfriend threatened witness through Myspace. Court: Myspace evidence insufficiently authenticated. An imposter could have posted the message.

  21. Addressing the Authentication Issue: Law Enforcement Search Warrants • Can collect details from the service provider like IP address, time, application, mobile carrier and more • These details can help with authentication • Zachary Wolff, “Twitter: To log or not to log: Is that the question?”

  22. Alternative Ways to Authenticate Evidence • Interact with the user (if permitted) • Gather corroborating detail about user statements, activities and timeline • Corroborating details can be collected from multiple sources (Facebook, Twitter, special interest forums, games, phone, witnesses and so on)

  23. Risks: Ethical Limitations • New York State Bar Ethics Opinion 843 (9/10/2010); NY City Bar Formal Opinion 2010-2; San Diego County Bar Opinion 2011-2 • Lawyers may view public postings of adversaries • May not friend an adversary represented by a lawyer • May not use deception to friend someone

  24. No Trespassing Sign? • Pietrylo v. Hillstone Restaurant Group • Private Myspace forum: “talk about all the crap/drama/and gossip occurring in our workplace, without having to worry about outside eyes prying in.” • Management got password; fired employees • Jury: company must pay back wages and punitive damages

  25. Lessons from the Hillstone Case • Exercise restraint and discretion • Watch out for and evaluate claims of privacy • Careful with passwords that don’t belong to you

  26. Managing Risk:Restraint and Proportionality • Canada Privacy Commissioner (PIPEDA Case Summary #2009-019): employer may investigate if employee had violated employment contract • Principle: have a logical, evidence-based justification for getting sensitive information • Predicate evidence justifies getting more evidence, but only what is necessary • This principle is consistent with discovery principles in civil litigation

  27. Managing Risk:Interview the Subject First? • A formal HR interview or deposition puts pressure on subject to tell the truth • Yes, subject could delete data, but • Deletion of data itself is evidence of wrongdoing that could hang the subject • Deleting data is harder than it looks because copies are spread everywhere

  28. Power of a Preservation Letter • Letter puts adversary on notice not to destroy records • Focuses the adversary’s attention electronic evidence and all the steps that might be necessary to preserve •

  29. Legal Steps to Access Non-Public Data • Consent of the user • E-discovery demand to user • Informal request to social network • Subpoena to social network • Search warrant for law enforcement • Find the data in an alternative, public location

  30. Informal Request • Very commonly service providers – especially smaller ones – will cooperate with requests from government • Fugitive plays World of Warcraft • Howard County, Indiana, Sheriff sends polite letter to operator of game • Service provider reveals IP address, which leads to fugitive in Canada

  31. Civil Subpoenas for Content • Big service providers tend to resist • Smaller service providers may be more cooperative • Crispin v. Christian Audigier, Inc. • Civil subpoena to FB and Myspace quashed • Content protected under Stored Communications Act • May be difference between private messages and wall postings

  32. Alternative Locations for Evidence • Notices and copies to email or phone SMS (text) • Replication at other sites (my Facebook and LinkedIn repeat my tweets) • Sharing by friends • Cache on computer

  33. General Principles for Investigators • Keep thorough, signed, time-stamped records • Record your justification • Keep the methods and evidence capture proportionate and within the scope of the justification • User consent (employment application or terms of employment) reduces risk • Be creative to find the data

  34. Blog: benjaminwright.usGoogle Plus: This presentation is not legal advice for any particular situation. If you need legal advice, you should consult the lawyer who advises you or your organization. Use this material at your own risk. Anyone may reuse or reproduce it.